[CentOS] SSL CRIME
markus.falb at fasel.at
Tue Sep 25 08:45:00 EDT 2012
On 25.9.2012 00:37, Leon Fauster wrote:
> Am 24.09.2012 um 23:49 schrieb Johnny Hughes:
>> On 09/24/2012 06:07 AM, Markus Falb wrote:
>>> Some of you have heard of CRIME, probably.
>>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>> But there are other services than http that use ssl and are vulnerable?
>>> What is the optimal place for setting this environment variable system wide?
>>> I tried to set it in
>>> without success.
>> The setting only matters if programs look for it and do something with
>> it ... so you would need to set it for the user that starts whatever
>> service you are trying to protect, if that daemon actually uses the
>> Just because a variable does something in httpd, that does not mean the
>> same variable means the same thing to sshd or any other daemon.
> it's in openssl itself (rhel5/6)
> IMO, the same as above would also apply for e.g. /etc/sysconfig/ldap ...
That was my understanding too. And instead of fixing X services I would
like to fix it for all services at once in one central location.
One could do it in /etc/init.d/functions maybe, but I doubt that it
would survive an update of initscripts.
Now that ssl compression has become security-relevant, maybe the openssl
default should be changed: default off, enabled only explicitly. Leon, I
know you suggested building a custom openssl package in an earlier
message, but to be honest, I am not very enthusiastic about maintaining
my own openssl. Maybe an upstream bugzilla should be filed.
Another related question: What services are vulnerable to CRIME or the
concepts behind CRIME, and what services are not? Everyone is only
talking about http. For example I think that smtp is not vulnerable if
it does not support smtp auth, or maybe ftp is not vulnerable because it
does a separate data channel, and so on...
Kind Regards, Markus Falb
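Two checks an administrator could run after exporting the variable for a service, as an added example that is not from this thread: whether OPENSSL_NO_DEFAULT_ZLIB actually reached a daemon's environment (read from /proc/<pid>/environ, since the variable only helps if the process that links openssl was started with it), and whether a TLS or STARTTLS endpoint still negotiates compression (parsed from the "Compression:" line of `openssl s_client` output). Function names are my own; the sample environ and s_client text used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Verifies that the CRIME
# workaround (OPENSSL_NO_DEFAULT_ZLIB=1) is both visible to a daemon and
# effective on the wire. Function names are constructed for this example.

# Print the value of OPENSSL_NO_DEFAULT_ZLIB found in a NUL-separated
# environ file such as /proc/<pid>/environ; prints nothing if it is absent.
env_no_default_zlib() {
    environ_file=$1
    tr '\000' '\n' < "$environ_file" | sed -n 's/^OPENSSL_NO_DEFAULT_ZLIB=//p'
}

# Report whether the daemon with the given PID was *started* with the
# variable (exporting it in a shell later does not change a running process).
daemon_has_no_zlib() {
    pid=$1
    val=$(env_no_default_zlib "/proc/$pid/environ")
    if [ -n "$val" ]; then
        echo "pid $pid: OPENSSL_NO_DEFAULT_ZLIB=$val"
    else
        echo "pid $pid: OPENSSL_NO_DEFAULT_ZLIB not set"
    fi
}

# Extract the negotiated compression method from `openssl s_client` output
# read on stdin: "NONE" when compression is off, "zlib compression" when on.
parse_compression() {
    awk -F': ' '/^[[:space:]]*Compression:/ { print $2; exit }'
}

# Connect to a TLS (or STARTTLS) service and print the negotiated compression.
# Usage: tls_compression host port [smtp|imap|pop3|ftp]
tls_compression() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        echo QUIT | openssl s_client -connect "$host:$port" -starttls "$proto" \
            2>/dev/null | parse_compression
    else
        echo QUIT | openssl s_client -connect "$host:$port" 2>/dev/null \
            | parse_compression
    fi
}
```

Run `daemon_has_no_zlib "$(pidof httpd | cut -d' ' -f1)"` and `tls_compression localhost 443` (or `tls_compression localhost 25 smtp`) on the host being checked; a result other than "NONE" means the service still offers compression regardless of what /etc/sysconfig says.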